If the complicated politics of internet governance continue to get in the way of upgrading the security of the net’s core technology, the internet could turn into a carnival house of mirrors, where no URL or e-mail address could be trusted to be genuine, according to Bill Woodcock, research director at the nonprofit Packet Clearing House.

“The National Telecommunications and Information Administration, an agency of the Department of Commerce, is the show-stopper here,” Woodcock said.

At issue is the trustworthiness of the domain name system, or DNS, which serves as the internet’s phone book, translating queries such as wikipedia.org into the numeric IP address where the site’s server lives.

Just weeks ago, security researcher Dan Kaminsky announced he’d discovered a way for hackers to feed fake info into DNS listings, which would allow hackers to redirect web traffic at will — for example, routing every person attempting to log in to the Bank of America to a fake site controlled by the attacker.

Kaminsky quietly worked with large tech companies to build patches for the net’s name servers to make the attack more difficult. But security experts, and even the NTIA, say those patches are just temporary fixes; the only known complete fix is DNSSEC — a set of security extensions for name servers.

Those extensions cryptographically sign DNS records, ensuring their authenticity like a wax seal on an letter. The push for DNSSEC has been ramping up over the last few years, with four regions — including Sweden (.SE) and Puerto Rico (.PR) — already securing their own domains with DNSSEC. Four of the largest top-level domains — .org, .gov, .uk and .mil, are not far behind.

But because DNS servers work in a giant hierarchy, deploying DNSSEC successfully also requires having someone trustworthy sign the so-called “root file” with a public-private key. Otherwise, an attacker can undermine the entire system at the root level, like cutting down a tree at the trunk. That’s where the politics comes in. The DNS root is controlled by the Commerce Department’s NTIA, which thus far has refused to implement DNSSEC.

The NTIA brokers the contracts that divide the governance and top-level operations of the internet between the nonprofit ICANN and the for-profit VeriSign, which also runs the .com domain.

“They’re the only department of the government that isn’t on board with securing the Domain Name System, and unfortunately, they’re also the ones who Commerce deputized to oversee ICANN,” Woodcock said.

“The biggest difference is that once the root is signed and the public key is out, it will be put in every operating system and will be on all CDs from Apple, Microsoft, SUSE, Freebsd, etc,” says Russ Mundy, principal networking scientist at Sparta, Inc, which has been developing open-source DNSSEC tools for years with government funding, He says the top-level key is “the only one you have to have, to go down the tree.”

A European networking group known as RIPE called in June 2007 for the root to be signed, with Swedish and British representatives echoing the call in October. But NTIA is not moving quickly enough to sign the root, given the looming threat, even after the final technical problems have been resolved, according to Woodcock and others.

“A few years ago, there were still technical hurdles to actually signing and using DNSSEC, but in the past few years, a lot of software tools, both commercial and open-source, have come out, and now it’s a completely solved problem,” Woodcock said. “All that’s left is the far less tractable, purely political problem.”

“Arguing over who gets to hold the cryptographic keys in the long run [should] wait until we’re not facing a critical threat,” Woodcock said.

But the NTIA insists it is moving at just the right pace.

“We are committed to taking no action that would have the potential to adversely affect the operational stability of the DNS,” says spokesman Bart Forbes. “While there is increasing pressure to secure the DNS, NTIA must work with all stakeholders and consider all possible solutions.”

Olaf Kolkman, a Dutch networking export, says there’s no time to waste. The only way for DNSSEC to work is for the top-level zone file — which lists the specifics for top-level domains like .gov — to be signed by a trusted authority.

“Currently DNSSEC is the only mechanism known to protect against the Kaminsky attack,” Kolkman said. “It is not clear that other solutions will provide the same level of protection as DNSSEC.”

Without such extensions, a hacker eager for trade secrets could hijack the DNS listing for Apple’s e-mail server and insert the number for a server he controls instead. He could then keep a copy of every message sent to the company and forward them all. No one would likely to be any wiser until a human looked closely at the mail headers.

Still, even DNSSEC’s most fervent backers admit that signing the root won’t instantly secure the net. Installing the extensions internet-wide will be costly and time-intensive, but proponents say that getting the root signed will turbocharge the process.

The Internet Assigned Numbers Authority — which coordinates the internet — has been prototyping a system to sign the root-zone file for the last year, but they can’t do the same for the internet’s top servers without approval from the Department of Commerce.

That’s where the rub is, according to Kolkman.

“Then the issue becomes political because there seems to be the perception that the introduction of a key guardian changes the current policies,” Kolkman said

That could also simplify how top-level zone files are created, according to Richard Lamb, a technical expert at IANA. Currently companies that manage top-level domains like .com submit changes to ICANN, which then sends them to NTIA for approval, before they’re forwarded to VeriSign. VeriSign actually edits the root file and publishes it to the 13 root servers around the world.

“We would want to bring the editing, creation and signing of the root zone file here,” to IANA, Lamb said, noting that VeriSign would likely still control distribution of the file to the root servers, and there would be a public consultation process that the change was right for the net.

But changing that system could be perceived as reducing U.S. control over the net — a touchy geopolitical issue. ICANN is often considered by Washington politicians to be akin to the United Nations, and its push to control the root-zone file could push the U.S. to give more control to VeriSign, experts say.

VeriSign did not respond to a request for comment, but its CTO said earlier this year that it was creating its own root-zone file-signing test bed.

The root-zone file, which contains entries for the 300 or so top-level domains such as .gov and .com, changes almost every day, but the number of changes to the file will likely increase radically in the near future, since ICANN decided in June to allow an explosion of new top-level domain names.

Woodcock isn’t buying the assurances of NTIA that it is simply moving deliberatively.

“If the root isn’t signed, then no amount of work that responsible individuals and companies do to protect their domains will be effective,” Woodcock said. “You have to follow the chain of signatures down from the root to the top-level domain to the user’s domain. If all three pieces aren’t there, the user isn’t protected.”

Original URL: http://blog.wired.com/27bstroke6/2008/08/experts-accuse.html

The fact that Myspace.co.uk was originally used to offer email services and websites to subscribers meant TWS had insulated itself from an action for some time. But MySpace’s main argument to Nominet centred on the most recent use of the domain as a Pay Per Click website which sent MySpace.co.uk visitors to a parked page with advertisements for social networking websites including MySpace. MySpace Inc says the practice started in July 2005 when News Corp took it over, boosting its fame, but TWS claims it was “at least” before June 2005.

Secondly, at issue was whether parking the .co.uk domain had become “abusive” when the PPC ads changed because MySpace.com became well known. In the case of MySpace.co.uk, the ads on the parked domain did change to “reflect the fame of MySpace.com”, admitted TWS, “but that had happened automatically as a result of the algorithms used by parking company Sedo.” In other words, TWS fingered the firm servicing the ads. While MySpace Inc. argued that TWS should have exercised control over the content of the adverts, TWS said this did not constitute a “change of use”.

The three-person appeal panel said they were “reluctant to place any duty on a registrant, who has merely had the good fortune (or maybe ill fortune) to register a name in good faith…” so long as they don’t exploit the situation.

There appears to be no more steps that MySpace can take within the Nominet DRS arbitration process to challenge TWS’s right to hold onto the name. So it’s the end of the line – unless there is further action MySpace can take through the civil courts.

Total Web Solutions also claims that Nominet tried to “unfairly help” MySpace by at first denying the existence of emails sent between solicitors and MySpace which may have aided TWS’s case. The solicitor who represented Total Web Solution in the case, Jim Davies, is now standing for election to the Nominet board, as he believes it’s unwise to “operate the DRS (Domain Resolution Service) from within the company.” Davies has been involved in a number of the more high profile domain name disputes in the UK recently.

Total Web Solutions’ Managing director Paul Fallon issued a statement saying “We refused to be bullied by one of the largest media organisations in the world. This has been a very stressful case for a legitimate medium sized ISP to have to take on – but we had to defend our reputation and to stand up for what was right.”

Of course, the MySpace.co.uk domain is now effectively worthless since TWS would be ill-advised to do anything with it at all now. It is currently displaying a blank page. MySpace continues to use uk.myspace.com/. A MySpace spokesperson declined to comment.

Original URL: http://uk.techcrunch.com/2008/04/29/myspacecom-loses-myspacecouk-on-appeal/

DotAsia, the organisation overseeing the registration, is expecting huge demand for the first domain name extension for the Asia Pacific region.

But some in the industry are concerned about the proliferation of domain name suffixes in recent years.

While others think that the business of buying domain names has become more about protecting brands than promoting them.

Cybersquatting
Work to create the .asia domain began in 2000 with the DotAsia Organisation winning official approval to set up the domain in 2006.

A so-called sunrise period, where companies can reserve domains to match their trademarks, has been ongoing since October.

Now the process has been opened up for anyone to register and the first .asia domains will go live on the internet in March.

Thomas Herbert, a product manager from UK hosting firm and registrar Hostway, believes the nature of buying domain names has changed, largely due to the lucrative businesses of cybersquatting.

“People are willing to pay big money for a domain and with domain name reselling on the increase, it has become a matter of protecting your trademark,” he said.

As well as cybersquatting there can be legitimate battles over suffixes.

For example, in the sunrise period for the .eu domain, there were some 95,000 conflicting claims for domains.

The www.polo.eu domain was applied for by car maker Volkswagen, fashion house Ralph Lauren and sweet manufacturer Nestle.

To limit squabbles and cybersquatting this time around, the DotAsia Organisation, has put in place certain rules.

Companies must be already registered in the Asia/Pacific region to qualify and if there are any conflicts of interest, the domain will be auctioned off to the highest bidder.

Such restrictions are likely to increase as more domain names come online, thinks Mr Herbert.

Leona Chen, spokeswoman for the DotAsia Organisation, anticipated plenty of interest and hoped the suffix could have as significant an impact in Asia as .com has globally.

“We are ready for something big. All of our people and systems are in place and we look forward to the commencement of the .asia landrush,” she said.

Too many?
UK domain name registrar NetNames pointed out that the number of firms registering interest is considerably lower than for the sell-off of the eu domain in April 2006.

“Only 30,780 applications have been filed for .asia domain names so far compared with 330,000 at the same point in the launch of the .eu domain name,” said Jonathan Robinson, chief operating officer of NetNames.

He advised firms to get onboard quickly.

“Once it starts, there’s far less protection for companies’ trademarks and its open season on the .asia domain name for cybersquatters, online speculators and competitors,” he said.

According to a report from Nominet, the overseer of the .uk registry, there is an active market in buying, selling and storing domain names, with sales regularly exceeding £100,000 and peak values reaching more than £1m.

While some of these resales are legitimate there was also a big market for speculators, said Nominet chief executive Lesley Cowley.

She was concerned that a sudden leap in the number of domain names could leave companies confused as to which ones they need to register for.

“The current process being developed by Icann (the Internet Corporation for Assigned Names and Numbers) means there could be a couple of hundred or even thousands of new suffixes to bid for by the end of the year,” she said.

The .asia domain name extends to some 70 countries, from the Middle East to Australia. 60% of the world’s population lives within the Asia-Pacific region and there are 400 million internet users.

Other regional suffixes for Africa and Latin America are expected to follow.

Original URL: http://news.bbc.co.uk/1/hi/technology/7255320.stm

When security researchers investigate spam and phishing activity on the internet, they rely on special Whois directories, which list the owner of a domain name, their hosting service and their contact information.

They can use the information to track down who is responsible for a particular scam and to notify innocent webmasters if a portion of their site has been hijacked by black-hat hackers.

ICANN, which sets the rules for the internet’s top-level domain names such as .com and .net, has traditionally required registrars to make Whois data publicly searchable as a condition of the companies’ right to sell domain names.

But Global Name Registry, or GNR, which administers domain names ending in .name (that are intended for use by individuals e.g., johndoe.name), won the right to create tiered levels of Whois access, where public searches show very little information beyond what registrar sold the name and what name servers the site uses.

The site sells five passwords, good for 24 hours only, for $2.

That’s $2 too much for security researcher Gadi Evron, one of the leading authorities on zombie computer networks. “What they have done is made sure the .name TLD is free haven for bad guys to lurk on,” Evron said. “If I need to report 1,000 domains, I’m not going pay $2,000.”

Paul Ferguson, a network architect at the security giant Trend Micro, said just this week he’s seen black hats finding ways to spread malware through name computers.

Swa Frantzen, a Belgian volunteer handler at the SANS Internet Storm Center, which monitors the net for threats, brought the policy to light on Saturday, after he was looking into some odd JavaScript reported to the center.

The domain name indicated that a legitimate .name site might have been hacked, but the .name portion of the domain name didn’t feel right, Frantzen said. The Whois information might have let him figure it out.

But Frantzen refused to pay.

“It feels like extortion,” Frantzen said. “No matter the small amounts involved, it becomes a problem as it means spending money, authorizations, purchases orders and having authorized users for credit cards. All sorts of things that slow it down dramatically.”

Whois data typically includes the name of the purchaser, a physical and e-mail address, as well as information about who hosts the site and what its name server is.

In recent years, registrars have been allowing veiled registrations so that domain-name owners can hide their identity, but still be contacted in case of an emergency or if they are served with legal papers.

Karen Lentz, ICANN’s domain registrar liaison, says that GNR is allowed to keep the data behind a paid firewall as part of its contract with ICANN, and to comply with British privacy laws.

“There is certain data that is minimal data that is free, and there is tiered access to more detailed information,” Lentz said. “One level involves paying a fee to get you access to more data for a limited period of time.”

“The whole point of having this service is to make it efficient,” Lentz said.

Another ICANN employee dismissed security researchers’ concerns about paying for the data.

“I don’t know why that matters,” she said. “Is this (reporter phone call) really worth $2 of your life?”

GNR did not reply to a request for comment by deadline.

But security researcher Evron says the move to a pay system demonstrates a larger truth about names and the internet.

“The domain name system has grown bigger than it was ever planned to be, is doing more than it was ever intended to do and does it proudly,” Evron said. “But the governance around it has become profit-based, and we have no fallback system to handle criminal organizations and countries that abuse domain names.”

Storm center volunteer Frantzen suggests that most domain name owners would benefit from making e-mail address available through the Whois system.

“Just imagine you get a call from us telling you about a problem and offering help to fix it, versus you getting a call from your ISP informing you they shut down your server due to a breach of policy,” Frantzen said.

Original URL: http://www.wired.com/politics/security/news/2007/09/dot_name

Lulu.com, a service that lets members publish, print and sell their own books, has been around for five years, according to the company. Hulu.com is a joint digital video partnership between NBC Universal and News Corp., whose corporate entity N-F Newsite announced the name last week. The lawsuit, filed Wednesday in U.S. District Court in North Carolina, charges N-F Newsite with trademark infringement, unfair and deceptive trade practices, and federal cyberpiracy.

“We have spent more than five years and tens of millions of dollars in investment successfully building the Lulu brand and website into a place for millions of creators and consumers to publish, buy, sell and manage digital content,” Lulu CEO Bob Young said in a statement.

According to gossip site Valleywag, News Corp. took over the domain Hulu.com from a small family that used the site for posting family photos.

Original URL: http://news.com.com/8301-10784_3-9772407-7.html

The Internet Corporation for Assigned Names and Numbers (ICANN) is likely to approve North Korea’s country domain “.kp” at a meeting in Los Angeles starting in October, Suh Jae-Chul, a board member, told AFP.

“ICANN is expected to approve North Korea’s country code top level domain as it did recently ‘.ps’ for Palestine and ‘.eu’ for the European Union,” Suh said.

“This means that North Korea is becoming more active in engaging in Internet activities,” he said.

Professor Kim Young-Soo, an expert on North Korea at Sogang University, said Internet access in the North was still strictly limited.

“Access to the Internet is tightly controlled there as if it were a top secret,” he said.

North Korea keeps itself closed to the outside world to prevent so-called spiritual pollution from subverting its hardline socialist system.

TVs and radios are tuned to official channels only. The media is a propaganda tool and the leadership is aware of the Internet’s potential to stir up dissent.

It operates its own version of the Internet, a highly censored Intranet that has its own messaging function, Kim Young-Soo said.

It is policed by the Korea Computer Center, North Korea’s window on the worldwide web and its leading high-technology research and development hub.

The centre, set up in 1990, acts as the regime’s gatekeeper, selecting only approved information and downloading it onto the Intranet.

Content is mostly limited to science and technology and available only to selected research institutes, universities, factories and a few individuals.

A German portal set up a joint venture with North Korea in 2004. But South Korea’s Unification Ministry has estimated that only a tight circle of leaders, including Kim Jong-Il and his military henchmen, would have direct access to the Internet.

Original URL: http://news.yahoo.com/s/afp/20070817/tc_afp/itinternetnkorea

This seemingly minor change to the already loose requirements for Web site registration is being advocated by an unholy alliance of privacy ideologues, primarily in the European Union, and greedy Internet service providers. The former group argues that the less that is known about a Web site owner, the better that person’s rights are protected. The ISPs supporting the change see it as a way to generate more business, though most of it is likely to be from crooks who, ironically, rip off Internet users by violating their privacy.

One of the most pernicious types of online crime is phishing. With a phishing scam, criminals lure consumers to visit a counterfeit Web page that looks identical to, say, a bank’s site and then dupe the visitors into entering personal information. The crooks drain their marks’ bank accounts or run up their credit card limits. Consumer Reports says that more than a million people lost a total of $2.1billion during the past two years from phishing. Without WHOIS, the situation would be massively worse.

Today, legitimate businesses work vigilantly to protect their customers and their companies’ reputations online. They hire brand-protection services that hunt down and shutter phishing sites. These third-party phisher killers are needed because law enforcement agencies lack the bandwidth to stop the bad guys. The crooks know this, so they have no fear of legal retribution. Indeed, MarkMonitor, a brand-protection service, claims that phishing incidents increased 104% in this year’s first quarter compared with the same period last year.

In a variation on phishing, typosquatters prey on online consumers’ poor typing skills. Brand protector CitizenHawk says, “Digital thieves use sophisticated, automated systems to purchase dozens, if not hundreds, of possible misspellings of domain names … to build vast networks of Web sites to siphon traffic away from legitimate companies.” The reason they siphon that traffic is to steal personal information from clueless visitors.

WHOIS is one small tool available to identify the ISP serving a bogus Web site and force it to shut the site down. Without WHOIS, it could take days instead of hours to locate and terminate a phisher’s or typosquatter’s presence.

ICANN is said to be leaning toward adopting operational point of contact, a policy that would eliminate the requirement that site owners identify themselves in WHOIS. An alternate policy, known as special circumstances, would let individuals and organizations — say, political dissidents or homes for battered women — hide their WHOIS data from prying eyes. That’s a far better option.

But why make any change? WHOIS has been with us since the earliest days of the Internet. There will be no appreciable privacy gains by adopting a new policy, except in the abstract thinking of privacy-rights zealots. In the real world of the World Wide Web, it’s more likely that increasing numbers of people will get their private information stolen if ICANN embraces operational point of contact for WHOIS. That would be criminally negligent.

WHOIS is not just about protecting corporate brands and unwary consumers. It’s a good educational tool for kids, too. Visit www.martinlutherking.org, a Web site targeting schoolchildren. With WHOIS, you can run a search on its owner. Turns out the site is run by Stormfront Inc., a group that proclaims itself to be of interest to “pro-White activists and anyone else interested in White survival.” But not those interested in the truth about Martin Luther King Jr.

Let’s keep WHOIS data available to help sustain commerce on the Web, protect people’s privacy and enhance our kids’ educations.

Original URL: http://www.computerworld.com/action/…/300493

A U.N. agency has ruled that ownership of the domain name thesimpsonsmovie.com must be handed to News Corp.’s Twentieth Century Fox, which owns the rights to the film and the popular TV series.

Twentieth Century Fox complained to the World Intellectual Property Organization over the use of the film’s name in the Internet address of a site registered by Keith Malley of Brooklyn, New York.

Malley was using the address to divert Internet users to a Web site that included sexually explicit depictions of several characters from The Simpsons and, later, to his “Keith and the Girl” Web site. He was demanding a $50,000 fee from Twentieth Century Fox for the domain name, according to the July 22 ruling of the WIPO arbitration panel.

It found that Malley “has no rights or legitimate interests with respect to the domain name” and ordered its immediate return.

The arbitration system, which was set up in 1999, allows those who think they have the right to a domain to gain control of it without having to fight a costly legal battle or pay large sums of money. Tom Cruise, Nicole Kidman and Madonna are among the Hollywood stars who have previously won rulings against so-called “cybersquatters.”

“The animated television series ‘The Simpsons’ debuted in 1989, and has become one of the longest running network series in television history,” the ruling said, noting that Friday’s release of the film has generated huge public interest on the Internet.

WIPO said Malley’s “aim in registering the disputed domain name was to profit from and exploit” Twentieth Century Fox’s trademark to promote and sell his own products and merchandise. The domain name has been registered since 1999.

Malley, who didn’t submit a defense in the case, did not respond to an e-mail seeking comment, and his telephone number is not listed.

Original URL: http://news.yahoo.com/s/ap/20070725/ap_on_hi_te/un_the_simpsons

The initial round, which starts Oct. 9, is limited to governments desiring geographical names such as “china.asia” and those with trademarks applied before March 16, 2004, and actively in use. Registrations for other trademarks and for company names begin Nov. 13.

The Internet’s key oversight agency for domain names, the Internet Corporation for Assigned Names and Numbers, approved the “.asia” domain in October.

DotAsia Organization Ltd., an organization made up of groups that run domain names for China, Japan, South Korea, Vietnam and other countries, will operate “.asia,” which it sought as a way to unify businesses and other users in the Asia-Pacific region.

The organization has said it plans to restrict registrations to those in the region, which includes Australia.

Applications for the older, active trademarks will close on Oct. 30, and all other applications in the so-called “sunrise” period will be accepted until Jan. 15. General registrations will come after that, though DotAsia did not specify when.

To discourage automated tools aimed at flooding the system on opening day, DotAsia will scrap the first-come, first-served model during the early registration period. Rather, all applications in a given round will be treated equally, with an auction held when two or more qualified applicants seek the same name.

DotAsia did not say when winning applications could start using the names.

Fees are likely to vary depending on which registration company an applicant chooses to process the name on DotAsia’s behalf.

The “.asia” name joins “.eu” for the European Union and “.cat” for the Catalan language as regional domains, and there have been calls for additional geographic names like “.berlin,” “.nyc” and “.paris.” Normally domain names are assigned globally, such as “.com” for commercial sites, or for a specific country or territory, like as “.fr” for France.”

Demand for the new names has generally been low, compared with old-timers like “.com,” but many foreign businesses consider “.com” primarily a U.S. domain, and latecomers to the Internet have found the best names already taken.

OrigInal URL: http://news.yahoo.com/s/ap/20070628/ap_on_hi_te/asia_domain

1999 was regarded by many to be the peak of Web 1.0 and likewise 1999-2000 was the previous peak of domain sales. News that Business.com is on the market for $400million shone the spotlight on the domain sales marketplace again. For domain sellers it’s a party again like 1999.

Last week some $10million changed hands at auction for domain sales, with 16 domains being sold for 6 figures. Free Credit Check.com & Credit Check.com sold together for $3million, although as the DomainTools Blog points out this was at a relatively low multiple of around 7x yearly earnings. Seniors.com sold for $1.8 million and even Blogging.com raised $135,000. The exuberance in the market even extends to the spam infested .info domain, with Houston.info selling for $17,000.

Ultimately it’s up to the market to decide the value of anything; however the domain sales market appears to be outperforming the established site marketplace. Buyers of domain names seem willing to pay much higher multiples for a domain name than the buyers in the established sites marketplace are. A good domain name may have a wealth of untapped potential yet many of these domains are used by buyers as nothing more than spammy CPC advertising front ends powered by Google Domain Parking, Sedo and other similar providers.

It would be easy to suggest that the buoyancy in the domain market is indicative of an overall market boom that may inevitably lead to a bust, however the signs in the rest of the market would not suggest that this is the case. The money flooding into domains today is sustained by advertising that wasn’t as prevalent in 1999; the same advertising that sustains much of Web 2.0. Given that internet advertising still only makes up only around 7.0% of the overall advertising spend there’s still a lot of room for growth.. Whether domain name sales rates can stay at this high level though is yet to be seen. I’d think that they are getting close to a peak; the question is will prices plateau or decline once the peak is reached? Certainly if any readers are sitting on some great domain names, there has never been a better time to sell.

Original URL: http://www.techcrunch.com/2007/06/24/domain-sellers-party-like-its-1999/